09-02-2008 9:59 AM
Hello
I have a problem with SAP_ALL. Somebody have regenerated this profile so now I have all the new authorization object in SAP_ALL. I tried to modify the &_SAP_ALL_16 (it's the profile which contains the new authorization object in the SAP_ALL profile) in order to delete the new authorization object.
I have a message "Generated profiles can only be displayed".
Somebody can help me please ?
Thanks for your help.
Mélanie
09-02-2008 10:47 AM
Hi Melanie,
the aim of SAP_ALL is, to contain all authorizations.
there are only some small exceptions, which can be configured. You can find them in SAP note #410424.
The function to update generated profiles is disabled (of course with a little debuging it is still possible.....).
b.rgds, Bernhard
09-02-2008 10:05 AM
Hi,
You shouldn't try to remove access from SAP_ALL (only SAP does that for 1 object).
If you need access that isn't "everything" then you should create a role which contains the specific access.
09-02-2008 1:23 PM
I know this but we have a lot of specific authorization object and specific program. We need only standard object in SAP_ALL. So with this regeneration we have all the specific also and it's bad for us.
Do you have a solution for us to clean this profile and to transfer all the specific to the SAP_NEW profile ?
Thanks
Mélanie
09-02-2008 1:30 PM
> We need only standard object in SAP_ALL. So with this regeneration we have all the specific also and it's bad for us.
If what you mean by "specific" is your own customer objects... then you can make an entry in table PRGN_CUST id = 'ADD_ALL_CUST_OBJECTS' path = 'N'.
Then make sure you have a role which can run report RSUSR406 (regenerate SAP_ALL) and not just SAP_ALL, because you can delete SAP_ALL and then regenerate it without the customer objects.
> Do you have a solution for us to clean this profile and to transfer all the specific to the SAP_NEW profile ?
You should not do this. SAP_NEW is for introducing SAP's own new objects. After upgrading your roles, you should delete it and regenerate SAP_ALL.
That way, you never need SAP_NEW - except during upgrades.
Cheers,
Julius
09-02-2008 1:33 PM
> I know this but we have a lot of specific authorization object and specific program. We need only standard object in SAP_ALL. So with this regeneration we have all the specific also and it's bad for us.
With which you actually say SAP's expected standard behaviour is bad for you...
> Do you have a solution for us to clean this profile and to transfer all the specific to the SAP_NEW profile ?
I really think you should abandon all quests to rid SAP_ALL of unwanted objects.
If it's even possible (Okay, that is possible for your own objects, see Julius' post) you'll risk encountering the same problem after each upgrade.....
Some helpful consultant will push the 'regenerate' button in the future.
You can however create a role based on SAP_ALL and tune that to your need. Just create an empty role, save, got to the authorizations tab and select SAP_ALL as the template.
Edited by: Jurjen Heeck on Sep 2, 2008 2:40 PM
09-02-2008 2:26 PM
> Some helpful consultant will push the 'regenerate' button in the future.
Not withstanding possible organizational reasons why this might be usefull... I think Jurgen's point is stronger and there are several ways to regenerate a "real" SAP_ALL again which would then have a rather (un)intended affect...
Rather stick it out and tell them "No". This is also where having an emergency user solution can be quite usefull as well - to deal with all the examples of exceptions which happened twice last year... (for example
Cheers,
Julius
09-02-2008 2:56 PM
Hi again,
nevertheless as mentioned already cusotmer objects can be excluded from SAP_ALL
(re)generation you could simply create a backup from a current sap_all profile (without your cusomt objects included) to overcome such a problem in the future. In SU02 you have a transport link for profiles. so create a transport of the version you require. You can import that afterwards whenever and wherever you need it.
b.rgds, Bernhard
09-02-2008 10:47 AM
Hi Melanie,
the aim of SAP_ALL is, to contain all authorizations.
there are only some small exceptions, which can be configured. You can find them in SAP note #410424.
The function to update generated profiles is disabled (of course with a little debuging it is still possible.....).
b.rgds, Bernhard
09-02-2008 3:00 PM
Hello,
I put in the table PRGN_CUST id = 'ADD_ALL_CUST_OBJECTS' path = 'N'. I regenerated the SAP_ALL profile.
Now I have only the standard object in my profile and all works normally.
Thanks to all !
It's good now.
Best regards,
Mélanie